
Cloud Computing based Forensic Analysis for Collaborative Network Security Management Systems

Zhen Chen, Fuye Han, Junwei Cao, and Shuo Chen
Research Institute of Information Technology; Department of Computer Science & Technologies; Department of Automation; Tsinghua National Laboratory for Information Science and Technology (TNList), Tsinghua University, Beijing 100084, P. R. China

Abstract - Internet security remains a serious challenge: security incidents such as Internet worms, spam and phishing attacks occur continually. A botnet, a well-organized distributed attack infrastructure, consists of a large number of bots that generate huge volumes of spam or launch Distributed Denial-of-Service (DDoS) attacks against victim hosts, and this emerging form of attack makes the Internet security situation even worse. To address these problems, we propose a practical Collaborative Network Security Management System built from widely deployed collaborative UTM (Unified Threat Management) devices and traffic probers. This distributed security overlay network, coordinated by a centralized Security Center, uses a peer-to-peer communication protocol in the UTM's collaborative module to interconnect the devices virtually so that they can exchange network events and security rules; the UTM security functions are also retrofitted to share security rules. In this paper we present the design and implementation of a cloud-based Security Center for network security forensic analysis: collected traffic data is kept in cloud storage and processed on a cloud computing platform to find malicious attacks. A workable case, forensic analysis of phishing attacks, is presented, and the required computing and storage resources are evaluated on real trace data. The cloud-based Security Center can instruct each collaborative UTM and prober to collect events and raw traffic and send them back for deep analysis, from which new security rules are generated. These new rules are enforced by the collaborative UTMs, and the feedback events produced by the rules are returned to the Security Center.
By this kind of closed-loop control, the Collaborative Network Security Management System can identify and address new distributed attacks more quickly and effectively.

Keywords: Cloud Computing, Overlay Network, Collaborative Network Security System, Computer forensics, Anti-Botnet, Anti-Phishing, Hadoop File System, Eucalyptus, Amazon Web Service.

1. Introduction and Background


As the Internet plays an increasingly central role as information infrastructure, e-business and e-payment on the Internet are booming because of the convenience and benefits they bring to users. Internet security problems remain a big challenge, with many security incidents occurring, and the underground economy based on Internet scams and fraud is booming as well. Attackers initiate more and more e-crime attacks and abuse, such as spam, phishing attacks and Internet worms. Firewalls, Intrusion Detection Systems (IDS) and anti-virus gateways are now widely deployed in edge networks to protect end systems from these attacks. When malicious attacks have fixed patterns, they can be identified easily by matching those patterns [39-42]. Sophisticated attacks, however, are distributed across the Internet, have fewer distinguishing characteristics and evolve quickly. For example, a Distributed Denial-of-Service (DDoS) attack contains very few, if any, signature strings by which to identify it. Nowadays DDoS attacks are typically launched by a large number of bots that form a botnet controlled by a botmaster. The bots are commanded to attack new victim machines in order to enl arge the botnet, and are also commanded to carry out other tasks such as disseminating spam or launching DDoS attacks against victim hosts. A secure overlay has been proposed as a countermeasure against botnets. To prevent such distributed attacks, collaboration is a necessary approach. Collaborative intrusion detection systems are reviewed in [36]; through collaboration, a network security system can achieve scalability and teamwork, and obtains a bigger picture of the events in the whole network. In [37], an algorithm is presented that improves the accuracy of alert events by aggregating information from different sources, and a similar alert correlation algorithm based on Distributed Hash Tables (DHT) is put forward in [38]. The Collaborative Network Security Management System (CNSMS) [28] aims to develop a new collaboration system that integrates already deployed UTMs such as NetSecu [27]. This distributed security overlay network, coordinated by a centralized Security Center, uses a peer-to-peer communication protocol in the UTM's collaborative module to interconnect the UTMs virtually so that they can exchange network events and security rules.

CNSMS also produces a huge volume of operational output, e.g., traffic data collected by multiple sources at different vantage points, operating reports, and security events generated by the different collaborative UTMs. Because this data is so large and not easy to analyze in real time, it needs to be archived for later forensic analysis. In this paper we evaluate a cloud-based solution in the Security Center for forensic analysis of traffic data. The main contribution of the paper is a practical solution for collecting data traces and analyzing them in parallel on a cloud computing platform: cloud storage keeps the huge traffic data, and the cloud computing platform processes it to find malicious attacks. We already operate a Collaborative Network Security Management System that has a big data output. A workable case, forensic analysis of phishing attacks, is presented, and the required computing and storage resources are investigated. We conclude that the phishing filter functions can be scaled effectively with cloud computing to analyze a large volume of trace data for phishing attack detection, and the results also show that this solution is economical for large-scale forensic analysis of traffic data.

2. Collaborative Network Security Management System

2.1 System Design and Implementation

The Collaborative Network Security Management System (CNSMS) [28] deployed across multiple sites is shown in Figure 1. The multi-site deployment, which includes the Beijing Capital-Info network, the Century-Link IDC, an enterprise network and a campus network, demonstrates the workability of our system. All four sites are managed by the CNSMS in the Security Center over the Internet. Each site contains several NetSecu nodes [27], each in charge of a different network environment and adapted to its respective physical link.

Figure 1. The deployment of the Collaborative Network Security Management System across multiple sites.

During operation of the system, the collaborative mechanism runs as expected, sharing security events and rulesets, and new rulesets are enforced on demand as instructed by the Security Center. Operating reports from each NetSecu node and prober are collected and sent back to the Security Center. A large number of network security events have also been observed and recorded in the deployment, such as DDoS reflection attacks, spam scatter and ad hoc P2P protocols.

[Figure 2 diagram, not reproduced. It shows the Cloud based Security Control Center in the centre, with Collaborative UTM and Traffic Prober nodes at the edge; the labelled steps are: pattern matching and traffic capture at the UTM and prober, events report aggregation, analysis / rule generation, policy / secure rule enforcement, and feedback of rule enforcement.]

Figure 2. The working principle of the Collaborative Network Security Management System with the cloud-based Security Center.

Figure 2 illustrates the whole procedure of network security event processing. In general terms, it is an information control cycle divided into several steps. The collaborative UTMs and probers act as sensors and report security events and traffic data to the Security Center. The Security Center aggregates all the events and digs into the collected traffic data. After detailed analysis, and with the assistance of an expert manager, the Security Center generates a new policy or ruleset, disseminates it to each collaborative UTM and prober for enforcement, and receives the feedback information.

2.1.1 Traffic Prober


A traffic probe is the building block for recording raw Internet traffic at connection level. Hyperion [29], Time Machine [30-31] and nProbe [32] are well-known representative projects in this area. A traffic probe can be designed to focus on the specific traffic caused by a certain security event when needed. We enhanced Time Machine and deployed it together with TIFA [25-26] as a prober, either on a separate device or inside a collaborative UTM. The key strategy for efficiently recording the contents of a high-volume network traffic stream comes from exploiting the heavy-tailed nature of network traffic: most network connections are quite short, while a small number of large connections (the heavy tail) account for the bulk of the total volume [31]. Thus, by recording only the first N bytes of each connection (the cutoff is 15 kilobytes), we can record most connections in their entirety while still greatly reducing the volume of data we must retain. For large connections only the beginning is recorded, since the beginning of such a connection is the most interesting part (containing protocol handshakes, authentication dialogs, names of data items, etc.).
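As an added illustration of the cutoff strategy (example code written for this page, not the paper's prober and not the Time Machine source), the following Python recorder applies a per-connection byte cutoff to a constructed heavy-tailed packet stream. The addresses, packet sizes and connection counts are made up for the demonstration; the only value taken from the text is the 15 KB cutoff.

```python
"""Per-connection cutoff recorder in the style of Time Machine.
Added example for this page: not the paper's prober and not Time Machine code.
Packets are plain Python objects constructed below, so it runs offline."""
from collections import defaultdict
from dataclasses import dataclass

CUTOFF_BYTES = 15 * 1024  # the 15 KB per-connection cutoff quoted in the text


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    payload_len: int


def flow_key(p: Packet) -> tuple:
    """Direction-independent 5-tuple: both halves of a connection share one
    key, so the cutoff counts the whole connection, not each direction."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)


class CutoffRecorder:
    """Keeps every packet of a connection until `cutoff` payload bytes have
    been seen, then drops the rest of that connection. The packet that crosses
    the cutoff is still archived, so nothing below the cutoff is ever lost."""

    def __init__(self, cutoff: int = CUTOFF_BYTES):
        self.cutoff = cutoff
        self.seen = defaultdict(int)   # payload bytes seen per connection
        self.truncated = set()         # connections that had packets dropped
        self.kept = []                 # packets written to the archive
        self.bytes_in = 0
        self.bytes_kept = 0

    def offer(self, p: Packet) -> bool:
        """Return True if the packet is archived, False if it is dropped."""
        self.bytes_in += p.payload_len
        k = flow_key(p)
        if self.seen[k] >= self.cutoff:
            self.truncated.add(k)
            return False
        self.seen[k] += p.payload_len
        self.kept.append(p)
        self.bytes_kept += p.payload_len
        return True


def build_sample_trace(n_short: int = 1000, n_long: int = 5, long_pkts: int = 7000) -> list:
    """Constructed heavy-tailed workload: many 3 KB web connections and a few
    ~10 MB downloads. Sizes are illustrative, not taken from the paper's trace."""
    pkts = []
    for i in range(n_short):
        client = f"10.0.{i // 256}.{i % 256}"
        pkts.append(Packet(client, 40000 + i, "192.0.2.10", 80, "tcp", 500))    # request
        pkts.append(Packet("192.0.2.10", 80, client, 40000 + i, "tcp", 1250))   # response
        pkts.append(Packet("192.0.2.10", 80, client, 40000 + i, "tcp", 1250))
    for j in range(n_long):
        client = f"10.1.0.{j}"
        pkts.append(Packet(client, 50000 + j, "192.0.2.20", 443, "tcp", 200))   # request
        pkts.extend(Packet("192.0.2.20", 443, client, 50000 + j, "tcp", 1460)
                    for _ in range(long_pkts))                                   # long download
    return pkts


def archive(packets: list, cutoff: int = CUTOFF_BYTES) -> dict:
    """Run the recorder over a packet list and report what the cutoff achieved."""
    rec = CutoffRecorder(cutoff)
    for p in packets:
        rec.offer(p)
    return {
        "bytes_in": rec.bytes_in,
        "bytes_kept": rec.bytes_kept,
        "connections": len(rec.seen),
        "truncated_connections": len(rec.truncated),
        "retained_fraction": rec.bytes_kept / rec.bytes_in,
    }


if __name__ == "__main__":
    stats = archive(build_sample_trace())
    print(f"{stats['connections']} connections, {stats['truncated_connections']} truncated, "
          f"{stats['retained_fraction']:.1%} of bytes retained")
```

On the constructed trace all 1000 short connections are kept whole and only the five large downloads are truncated, yet under 6% of the bytes are retained; the same mechanism also shows the forensic cost of the cutoff, since the body of a large download (for instance a malware payload) is exactly the part that is discarded.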

2.1.2 Collaborative UTM


NetSecu, introduced in [27], acts as the collaborative UTM. A NetSecu node has the following features: 1) incrementally deployable security elements; 2) security functions that can be dynamically enabled, disabled and upgraded; 3) policy-instructed collaboration over the Internet. A NetSecu node contains a Traffic Prober, a Traffic Controller, a Collaborator Element and a Reporting Element to fulfil these design goals. The collaborator element in NetSecu manages the other security elements according to the Security Center's commands and unites the individual NetSecu platforms into a Secure Overlay Network. Commands exchanged between NetSecu nodes and the Security Center are transmitted over an SSL channel to protect them. A collaborator can start or stop a security element at runtime, and collaborators can respond to security events, for example by limiting DDoS traffic on demand. NetSecu integrates security functions such as firewall, intrusion prevention system (IPS) and anti-virus (AV). These functions can be loaded into NetSecu nodes at runtime and dynamically enabled, disabled and upgraded. NetSecu is based on commodity hardware and the commonly used combination of Java on Linux. With multi-core technology now mature, NetSecu achieves an MLFFR (Maximum Loss-Free Forwarding Rate) [footnote 1] comparable to bare Linux forwarding performance, and most security functions can run in a multi-threaded model to accelerate the flow processing and pattern matching a UTM needs. NetSecu is also equipped with bypass and self-protection capabilities, so that it can withstand faults and DoS attacks, for high availability and survivability.

2.1.3 Security Center


The Collaborative Network Security Management System (CNSMS) is proposed in [28] and operated in the Security Center. As NetSecu nodes can manage security problems in a subdomain and provide P2P communication interfaces, CNSMS orchestrates the communication between these NetSecu nodes. More specifically, CNSMS achieves the following objectives:
1. collaborative dissemination and enforcement of security policy;
2. collaborative notification of security events;
3. dissemination, enforcement and update of security rulesets;
4. a trust infrastructure;
5. scalability.

Footnote 1: MLFFR is the highest forwarding rate with zero packet loss.

Another key function of the Security Center is forensic analysis of the collected traffic and network security events. We use cloud computing in the Security Center to store the large volume of traffic data originating from the different sites and to analyze it in order to generate new security rulesets (the analysis and rule-generation step in Figure 2). To instruct the UTMs to defeat new attacks such as botnets, we must investigate the traffic in depth, acquire the communication graph of the botnet, and generate security rules for enforcement in the UTMs that suppress the communication between bots and botmaster. This also works against DDoS attacks launched by a botnet. Since we equip the NetSecu node with open-source application protocol identification and bandwidth management technology, the Security Center can turn the system into a collaborative distributed traffic management system that detects and manages traffic collaboratively after the collected traffic has been analyzed in the Security Center. This can effectively improve the identification ratio of unknown botnet protocols and throttle DDoS traffic.

2.2 System Application: Botnet Suppression


A typical distributed attack is the botnet, which is extremely versatile and is used in many attacks, for example sending huge volumes of spam or launching Distributed Denial-of-Service (DDoS) attacks. The working principle of a botnet is shown in Figure 3. Suppressing botnets is becoming more and more difficult, for several reasons: firstly, botmasters keep their botnets as small as possible, not only to hide themselves but also to rent the botnets out easily; secondly, bots can automatically change their command and control (C&C) server in order to hide and recover.

[Figure 3 diagram, not reproduced: a Botmaster controls a C&C Server, to which the Bots connect.]

Figure 3. Botnet structure.

Based on the overlay network, the Collaborative Network Security System can be used as a distributed botnet suppression system. The system automatically collects network traffic from every collaborative UTM in a distributed manner and then processes the collected data in the Security Center. The detection algorithm proposed in [33-34] is based on behavioural features of botnets; when botnets are detected during processing, the system generates and distributes rules. The most important feature of this system is its closed-loop control: it gathers the feedback events that result from the deployed rules, processes and analyzes them in the control node, and removes invalid rules to make the system more efficient and reliable.

3. Cloud based Forensic Analysis in Security Center

3.1 Cloud Storage and Computing Platform


We focus on traffic data storage and forensic analysis. The underlying cloud storage and computing platform is based on Hadoop and the Eucalyptus cloud computing platform. We also analyze the use of cloud computing platforms based on Eucalyptus and on Amazon EC2 respectively.

3.1.1 Cloud Storage with Hadoop

The Hadoop file system, version 1.0.1, is used as the cloud storage system for the collected traffic. The master node acts as namenode, secondary namenode, jobtracker and HMaster; the other nodes work as datanode, tasktracker and regionserver.

[Figure 4 diagram, not reproduced: one Master node and 18 Slave nodes connected through a 1 Gbps switch.]

Figure 4. Cloud storage for the traffic collected by the collaborative UTMs.

There are four racks of machines in total, holding 5, 5, 4 and 4 machines respectively, giving 18 slave nodes. The topology is shown in Figure 4. The Hadoop system is used for traffic analysis: the traffic collected by the individual collaborative UTMs is aggregated and uploaded to this cloud platform. Each node has a four-core Intel CPU at 800 MHz, 4 GB of memory and a 250 GB hard disk.

We test the write throughput of our Hadoop system with Hadoop's TestDFSIO utility [footnote 2]. Two scenarios are tested: writing 18 files of 300 MB each, and writing 36 files of 100 MB each. The results are shown in Table 1.

Footnote 2: the Hadoop TestDFSIO commands used are
  hadoop jar hadoop-test-1.0.1.jar TestDFSIO -write -nrFiles 18 -fileSize 300
  hadoop jar hadoop-test-1.0.1.jar TestDFSIO -write -nrFiles 36 -fileSize 100

Table 1. The average write throughput of the Hadoop file system in the cloud platform (throughput per node, in MBps; a "?" marks a digit that is illegible in the source).

                            File size = 100 MB    File size = 300 MB
Writing 18 files in total   1?6.4 MBps            1?1.2 MBps
Writing 36 files in total   20.2? MBps            ?0.0 MBps

3.1.2 Cloud Computing IaaS Platform

3.1.2.1 Cloud Computing based on Eucalyptus
In this section we introduce our cloud computing platform, based on the open-source Eucalyptus platform and Ubuntu Enterprise Cloud. Figure 5 shows the Eucalyptus cloud computing platform we used. As Figure 5 shows, the compute service consists of seven main components, with the cloud controller component representing the global state and interacting with all other components. An API server acts as the web services front end for the cloud controller. The compute controller provides compute server resources, and the Object Store component provides storage services. An auth manager provides authentication and authorization services. A volume controller provides fast and permanent block-level storage for the compute servers. A network controller provides virtual networks that enable compute servers to interact with each other and with the public network. A scheduler selects the most suitable compute controller to host an instance. (Note that this seven-component description, and the launchpad.net pages for nova, swift and glance cited in [21], describe OpenStack, whose Nova compute component originated at NASA, rather than Eucalyptus; Eucalyptus is a separate project that exposes an Amazon EC2/S3-compatible API and was packaged by Ubuntu Enterprise Cloud.)

Figure 5. The cloud computing platform based on Eucalyptus.

Our cluster consists of four to six heterogeneous servers with the following hardware configurations:
1. Intel Core 2 Quad processor with 1.333 GHz FSB and 2 MB cache, dual-channel 4 GB DDR3 at 1.066 GHz, Intel G41 + ICH7R chipset and Intel 82574L network chipset;
2. dual Intel Xeon 5X00-series processors (E5330) with the Intel 5000P + ESB2 chipset, 8 GB of memory;
3. Intel Xeon 5X00-series processor with 4.8/5.86/6.4 GT/s QPI, Intel 5520 + ICH10R chipset, 24 GB of memory.

In Eucalyptus terms there is one cloud controller and the other servers are compute nodes. The cloud controller acts as the computing portal, task assigner and result aggregator. Computing instances are affiliated with each compute node; in our usage scenario we run 4 VM instances on each compute node, so about 24 instances run simultaneously. Each computing instance runs a pipeline divided into the phases: data fetching, data processing, and posting of computing results. In this way we achieve the best working efficiency in the use of hardware and software resources.

3.1.2.2 Cloud Computing based on Amazon


Amazon EC2 and S3 are used for comparative analysis; the main purpose of using the Amazon services is to compare them with our home-brewed Eucalyptus system. In consideration of user privacy and legal issues, we anonymize the data before uploading it to the Amazon S3 service.

3.2 Forensic Analysis of Phishing Attack


Phishing is an intriguing practical problem because of the sensitive information that is stolen (e.g. the account names and passwords of monetary accounts) and the estimated accumulated losses of about a billion annually. Not only users but also the backing financial institutions, such as e-banks and e-payment systems, are harmed by phishing attacks. There is already much research [7-9] on countermeasures against phishing. To protect web browser users from phishing, plug-ins that compare a visited URL with a URL blacklist are already provided by mainstream web browsers, and Google provides the Safe Browsing API [12] for checking a URL against Google's collected phishing database. Research on the life cycle of phishing web sites is given in [11]; the results show that phishing URLs are quite ephemeral, which makes the collection of forensic evidence [1-6] difficult, and it is made worse by the fact that most innocent Internet users are unaware of the phishing attack. Gregor Maier et al. [22] propose a traffic archiving technology for post-attack analysis in the Bro IDS: using Time Machine, the network trace data is archived and can later be fed back to the IDS, with current knowledge of modern attacks, to find evidence of attacks that went undiscovered at the time. K. Thomas et al. proposed the Monarch system [24] for real-time URL spam filtering of tweet and spam mail streams. Compared with Monarch, we put the emphasis on forensic analysis of phishing in a large volume of offline traces using a cloud computing platform. With a similar idea, we propose an offline phishing forensic collection and analysis system. It targets the following challenging problems: 1) how to collect the original data in which to search for evidence of phishing attacks;
2) how to handle the huge volume of data in a reasonably short time.

A cloud computing platform [15-17] is used for offline phishing forensic analysis. Firstly, our CNSMS collects the network trace data and reports it to the Security Center. Secondly, we have both constructed our own IaaS cloud platform [21] and used existing cloud platforms, Amazon EC2 and S3 [18-20], for comparison. All phishing filtering operations run on the cloud computing platform, in parallel, following a "divide and conquer" scheme.

3.2.1 Data trace collection


Our trace data is an uninterrupted collection over about half a year at multiple vantage points in the UTM deployment. The total volume of traffic that passed through our vantage points is about 20 TB; this data is divided into 512 MB data blocks, and a typical 512 MB block contains about 40K URLs. The distribution of URLs in one such block is shown in Figure 6.

[Figure 6 pie chart, not reproduced; the legible labels are "Tencent qq" and "others".]

Figure 6. URL distribution in a typical 512 MB trace data block.

The experimental data amounts to about 1 TB when collected in cutoff mode at a collaborative UTM, and the data trace is still growing in size during our experiments.

3.2.2 Data anonymization

To protect users' privacy and avoid legal issues in the research, the trace data is anonymized, replacing IP addresses and other user information, before it is processed on Amazon EC2.

3.2.3 Data processing

The data processing procedure is divided into the following phases:
1) File splitting: Each packet capture file created by Time Machine is 512 MB and is further divided into smaller parts with tcpdump [23], because the memory used while extracting data from the TCP streams would otherwise exceed the available physical memory.
2) TCP stream reassembly: This stage restores the TCP streams in the captured pcap files using tcptrace [23].
3) URL extraction: After the data has been extracted from the TCP streams, grep is used to find all URLs contained in the data by searching for lines starting with "Referer: http://". (Note that a Referer header records the page the user came from; the URL actually requested is given by the Host header together with the request path, and a complete extraction should collect both.)
4) URL check: The URLs found are stored in a file and checked for phishing with the Google Safe Browsing API [12], using the phishing site data that Google provides. Google publishes the first 32 bits of the SHA-256 hashes of the phishing site entries. If a URL's SHA-256 hash matches one of these prefixes, the full 256-bit hash is checked with Google to confirm the site. More details on the data provided by Google can be found in the Safe Browsing API documentation [12]. (In the v2 protocol the client sends the matching 4-byte prefix to the full-hash request endpoint and compares the full-length hashes that Google returns locally, so a complete URL hash is never transmitted, and a prefix hit on its own is not a verdict.) During the comparison of URL hash values, a prefix tree is used for matching because the data provided by Google is only 32 bits long, and a prefix tree can match a URL's SHA-256 value against Google's data in O(1) time.
5) Result reporting: This stage collects the final results from the different machines and aggregates the final report.

3.3 Experimental results


We conducted our evaluation experiments on both Eucalyptus and Amazon AWS for comparison.

3.3.1 Eucalyptus


We also run the phishing data block processing task on our home-brewed Eucalyptus platform, on servers with an Intel Core 2 Quad processor (1.333 GHz FSB, 2 MB cache), dual-channel 4 GB DDR3 at 1.066 GHz, Intel G41 + ICH7R chipset and Intel 82574L network chipset.

The time spent in the different processing stages on the Eucalyptus platform was measured and is summarized in Table 2.

Table 2. Time spent in each stage on Eucalyptus.

Stage                    Time (seconds)
TCP stream reassembly    15~20
URL extraction           16~20
URL check                ~5

The prefix-tree comparison itself is very fast and its cost can almost be ignored; however, before the URL check some time is needed to download the Google Safe Browsing signature lists, and that time is quite unpredictable because it depends on network conditions and the response latency of Google's servers. It should also be pointed out that the m1.small instance in EC2 is memory-constrained and has no swap partition, which causes problems when trace data analysis consumes a large amount of memory (exceeding the memory limit).

3.3.2 Amazon AWS

The trace file processing is written in Python and executes on an EC2 small instance running Ubuntu Linux 10.04. As the Linux commands show, the host CPU is an Intel(R) Xeon(R) CPU E5430 @ 2.66GHz with 6 MB cache, and the instance has 1.7 GB of memory (HighTotal: 982 MB, LowTotal: 734 MB). The different processing stages take different amounts of time, as measured in Table 3.

Table 3. Time spent in each stage of processing on Amazon EC2.

Stage                    Time (seconds)
TCP stream reassembly    ~287
URL extraction           ~47
URL check                1~2

Comparing the two, a data block takes about 330 s on an m1.small instance against about 40 s on the QX9400 quad-core server of our Eucalyptus platform. Although the Xeon E5430 in the Amazon host is itself the more capable processor, an m1.small instance is rated at only one EC2 Compute Unit, a fraction of that host, so the per-block time on EC2 is roughly eight times that on our physical server.

3.3.3 Estimated number of instances

Assume the time a compute instance spends handling a data block of k bytes in stages 2), 3) and 4) is t1, t2 and t3 seconds respectively. Assume there are m collaborative UTMs or probers collecting traffic data, that the average traffic throughput over the last 24 hours is f bytes/s, and that the traffic cutoff factor is h. The total number of instances X needed in parallel to handle all of the last 24 hours' traffic is then calculated as follows:

  T = t1 + t2 + t3                        Eq. (1)
  X = (m * f * T * h) / k                 Eq. (2)

X is also affected by several other factors, such as the percentage of HTTP streams in the traffic, the number of URLs in the HTTP streams, and users' browsing behaviour. In the Eucalyptus case we run only one instance on each physical server. Assume m = 4, f = 100 MByte/s (800 Mbps on a 1 Gbps link), h = 0.2 (meaning 20% of the traffic is captured), each block is 200 MBytes and T = 40 s; then the number of physical servers (or instances) needed in parallel is

  X = (m * f * T * h) / k = 4 * 100 * 40 * 0.2 / 200 = 16

In the Amazon EC2 case T = 330 s, and the number of EC2 m1.small instances needed in parallel is

  X = (m * f * T * h) / k = 4 * 100 * 330 * 0.2 / 200 = 132
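To make the sizing rule reusable, the following Python (added for this page, not the paper's code) evaluates Eq. (1) and Eq. (2) with the paper's symbols and assumptions, adds the rounding-up step the formula leaves implicit (a fractional instance has to become a whole one), and derives the daily archive volume that the same m, f and h imply. Units are MB and MB/s, as in the paper's worked numbers; the stage times in the usage are the Table 2 and Table 3 figures.

```python
"""Sizing the parallel instance count from the paper's Eq. (1) and Eq. (2).
Added example for this page, not the paper's code. Symbols follow the text:
m probers, f throughput, h cutoff factor, k block size, t1..t3 per-stage
seconds. Fractions keep the arithmetic exact so that the ceiling is not
disturbed by floating-point rounding."""
import math
from fractions import Fraction


def block_time(t1, t2, t3) -> Fraction:
    """Eq. (1): T = t1 + t2 + t3, the time one instance spends on one block."""
    return Fraction(str(t1)) + Fraction(str(t2)) + Fraction(str(t3))


def block_arrival_rate(m, f, h, k) -> Fraction:
    """Blocks of k bytes produced per second by m probers at throughput f
    with cutoff factor h; Eq. (2) is this rate multiplied by T."""
    return Fraction(m) * Fraction(str(f)) * Fraction(str(h)) / Fraction(str(k))


def instances_needed(m, f, T, h, k) -> int:
    """Eq. (2), X = m*f*T*h/k, rounded up: each block occupies one instance for
    T seconds, so the parallelism that keeps pace with the arrival rate is
    rate * T, and a fractional instance has to become a whole one."""
    return math.ceil(block_arrival_rate(m, f, h, k) * Fraction(str(T)))


def daily_archive(m, f, h, k) -> dict:
    """Storage side of the same assumptions: volume (in the unit of f) and
    number of k-sized blocks captured per day."""
    per_second = Fraction(m) * Fraction(str(f)) * Fraction(str(h))
    day = 24 * 3600
    return {"volume_per_day": int(per_second * day),
            "blocks_per_day": int(per_second * day / Fraction(str(k)))}


# The paper's assumptions, in MB and MB/s so that f and k share a unit.
M_PROBERS, F_MB_PER_S, H_CUTOFF, K_BLOCK_MB = 4, 100, 0.2, 200

if __name__ == "__main__":
    for label, T in (("Eucalyptus", block_time(15, 20, 5)),
                     ("EC2 m1.small", block_time(287, 47, 2))):
        print(label, instances_needed(M_PROBERS, F_MB_PER_S, T, H_CUTOFF, K_BLOCK_MB))
    print(daily_archive(M_PROBERS, F_MB_PER_S, H_CUTOFF, K_BLOCK_MB))
```

With the paper's rounded T of 330 s the EC2 figure is 132, as in the text; summing the Table 3 stage times instead (336 s) gives 134.4, which the ceiling turns into 135 instances. The same assumptions imply about 6.9 TB of captured traffic per day, i.e. 34,560 blocks of 200 MB, which is the storage the Hadoop cluster of Section 3.1.1 has to absorb daily.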

4. Conclusion

The Collaborative Network Security Management System is very useful for countering distributed network attacks. Its operation results in big data outputs such as network traffic and security events. In this paper we propose to use cloud computing systems to explore the large volume of data collected from CNSMS in order to track attack events. Traffic archiving is implemented in the collaborative UTMs to collect the network trace data, and cloud computing technology is leveraged to analyze the experimental data in parallel. An IaaS cloud platform is constructed with Eucalyptus, and the existing cloud platform of Amazon EC2 and S3 is also used for comparison. Forensic analysis of phishing attacks is presented as a workable case, and the required computing and storage resources are evaluated using real trace data. All phishing filtering operations are cloud-based and run in parallel, and the processing procedure is evaluated as well. The results show that the proposed scheme is practical and can be generalized to forensic analysis of other network attacks in the future.

ACKNOWLEDGMENT

This work is supported by the Ministry of Science and Technology of China under the National 973 Basic Research Program (grants No. 2011CB302805, No. 2011CB302505, No. 2012CB315801 and No. 2013CB228206) and by the National Natural Science Foundation of China (grant No. 61233016). This work is also supported by the Intel Research Council's UPO program under the title "Security Vulnerability Analysis based on Cloud Platform with Intel IA Architecture".

References

[1] W.H. Allen, Computer Forensics, IEEE Security & Privacy, vol. 3, no. 4, pp. 59-62, 2005.
[2] Michael A. Caloyannides, Nasir Memon, Wietse Venema, Digital Forensics, IEEE Security & Privacy, vol. 7, no. 2, pp. 16-17, 2009.
[3] F. Raynal, Y. Berthier, P. Biondi, D. Kaminsky, Honeypot forensics part I: analyzing the network, IEEE Security & Privacy, vol. 2, no. 4, pp. 72-78, 2004.
[4] F. Raynal, Y. Berthier, P. Biondi, D. Kaminsky, Honeypot forensics part II: analyzing the compromised host, IEEE Security & Privacy, vol. 2, no. 5, pp. 77-80, 2004.
[5] N. Sklavos, N. Modovyan, V. Grorodetsky, O. Koufopavlou, Computer network security: report from MMM-ACNS, IEEE Security & Privacy, vol. 2, no. 1, pp. 49-52, 2004.
[6] B.D. Carrier, Digital Forensics Works, IEEE Security & Privacy, vol. 7, no. 2, pp. 26-29, 2009.
[7] B. Wardman, G. Shukla, G. Warner, Identifying vulnerable websites by analysis of common strings in phishing URLs, IEEE eCrime Researchers Summit, 2009.
[8] Shujun Li, R. Schmitz, A novel anti-phishing framework based on honeypots, IEEE eCrime Researchers Summit, 2009.
[9] R. Layton, P. Watters, R. Dazeley, Automatically determining phishing campaigns using the USCAP methodology, eCrime Researchers Summit (eCrime), 2010.
[10] P. Knickerbocker, Dongting Yu, Jun Li, Humboldt: A distributed phishing disruption system, eCrime Researchers Summit (eCRIME'09), 2009.
[11] An Empirical Analysis of Phishing Blacklists, CEAS 2009, Sixth Conference on Email and Anti-Spam, July 16-17, 2009, Mountain View, California, USA.
[12] Google Safe Browsing v2 API, http://code.google.com/apis/safebrowsing/; Google Safe Browsing v2 API documentation, http://code.google.com/apis/safebrowsing/developers_guide_v2.html
[13] APWG, http://www.apwg.org/ or http://www.antiphishing.org/crimeware.html
[14] StopBadware, http://stopbadware.org/
[15] Web search for a planet: the Google cluster architecture, IEEE Micro, March-April 2003.
[16] Sanjay Ghemawat, Howard Gobioff, and Shun-Tak Leung, The Google File System, ACM SOSP'03, October 19-22, 2003, Bolton Landing, New York, USA.
[17] Jeffrey Dean and Sanjay Ghemawat, MapReduce: Simplified Data Processing on Large Clusters, USENIX OSDI 2004.
[18] Simson L. Garfinkel, An Evaluation of Amazon's Grid Computing Services: EC2, S3 and SQS, Technical Report TR-08-07, Harvard University, 2007.
[19] Amazon Web Services, Amazon Elastic Compute Cloud (Amazon EC2), March 18, 2011. http://aws.amazon.com/ec2
[20] Amazon Web Services, Amazon Simple Storage Service (Amazon S3), March 18, 2011. http://aws.amazon.com/s3
[21] Eucalyptus, open source Cloud Computing platform: Eucalyptus-nova, https://launchpad.net/nova; Eucalyptus-swift, https://launchpad.net/swift; Eucalyptus-glance, https://launchpad.net/glance
[22] Gregor Maier, Robin Sommer, Holger Dreger, Vern Paxson, Enriching network security analysis with time travel, SIGCOMM 2008.
[23] TCPtrace and TCPDUMP, http://www.tcptrace.org/ and http://www.tcpdump.org/
[24] K. Thomas, C. Grier, J. Ma, V. Paxson and D. Song, Monarch: Providing Real-Time URL Spam Filtering as a Service, to appear in Proc. IEEE Symposium on Security and Privacy, May 2011.
[25] Jun Li, Shuai Ding, Ming Xu, Fuye Han, Xin Guan, Zhen Chen, TIFA: Enabling Real-Time Querying and Storage of Massive Stream Data, 1st International Conference on Networking and Distributed Computing (ICNDC), 2011.
[26] Zhen Chen, Xi Shi, Ling-Yun Ruan, Feng Xie and Jun Li, High Speed Traffic Archiving System for Flow Granularity Storage and Querying, ICCCN 2012 workshop on PMECT.
[27] Xinming Chen, Beipeng Mu, Zhen Chen, NetSecu: A Collaborative Network Security Platform for In-network Security, Proc. of the 3rd International Conference on Communications and Mobile Computing (CMC), 2011.
[28] Beipeng Mu, Xinming Chen, Zhen Chen, A Collaborative Network Security Management System in Metropolitan Area Network, Proc. of the 3rd International Conference on Communications and Mobile Computing (CMC), 2011.
[29] Peter Desnoyers and Prashant Shenoy, Hyperion: High Volume Stream Archival for Retrospective Querying, USENIX Annual Technical Conference, 2007.
[30] Stefan Kornexl, Vern Paxson, Holger Dreger, Anja Feldmann, Robin Sommer, Building a Time Machine for Efficient Recording and Retrieval of High-Volume Network Traffic, IMC 2005.
[31] G. Maier, R. Sommer, H. Dreger, A. Feldmann, V. Paxson, and F. Schneider, Enriching Network Security Analysis with Time Travel, in Proc. ACM SIGCOMM, Seattle, WA, Aug. 2008.
[32] L. Deri, V. Lorenzetti, and S. Mortimer, Collection and exploration of large data monitoring sets using bitmap databases, Traffic Monitoring and Analysis, Jan 2010.
[33] Fuye Han, Zhen Chen, Hongfeng Xu and Yong Liang, A Collaborative Botnets Suppression System Based on Overlay Network, special issue of the International Journal of Security and Networks, vol. 7, no. 4, 2012.
[34] Fuye Han, Zhen Chen, Hongfeng Xu and Yong Liang, Garlic: A Distributed Botnets Suppression System, Proc. of the IEEE ICDCS First International Workshop on Network Forensics, Security and Privacy (NFSP), 2012.
[35] Tianyang Li, Fuye Han, Shuai Ding, Zhen Chen, LARX: Large-scale Anti-phishing by Retrospective Data-Exploring Based on a Cloud Computing Platform, ICCCN GridPeer workshop, 2011.
[36] R. Bye, S. A. Camtepe, and S. Albayrak, Collaborative intrusion detection framework: Characteristics, adversarial opportunities and countermeasures, in Proceedings of the USENIX Symposium on Networked Systems Design and Implementation, April 2007.
[37] F. Cuppens and A. Miege, Alert correlation in a cooperative intrusion detection framework, IEEE Symposium on Security and Privacy, 2002.
[38] A. Hofmann, I. Dedinski, B. Sick, and H. de Meer, A novelty driven approach to intrusion alert correlation based on distributed hash tables, IEEE ICC 2007.
[39] Donghua Ruan, Zhen Chen et al., Handling High Speed Traffic Measurement Using Network Processors, ICCT 2006.
[40] Jia Ni, Zhen Chen et al., A Fast Multi-pattern Matching Algorithm for Deep Packet Inspection on a Network Processor, ICPP 2007.
[41] Zhen Chen et al., AntiWorm NPU-based Parallel Bloom Filters in Giga-Ethernet LAN, IEEE ICC 2006.
[42] Zhen Chen et al., AntiWorm NPU-based Parallel Bloom Filters for TCP-IP Content Processing in Giga-Ethernet LAN, IEEE LCN WoNS 2005.
